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IN ! T HE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re application of 
Jean-Jacques CHEVREUL et al. 

New U.S. Patent Appln. 
corr. to Int'l Patent 
Appln. No, PCT/FR98/01879 

Filedj September 2, 1998 



For: 



I 



METHOD AND AN INSTALLATION FOR DOWNLOADING A 
SER DECODER PLATFORM 



PRELIMINARY AMENDMENT 



Assistant Commissioner for Patents 
Washi^gt on, D . C . 20231 



SIR 



Jrior to examination, please amend the application 
as foJfLows: 



IN THAr CLAIMS 



PleasJ| delete claims 1-10 and insert claims 11-20 as 
folloi|J : 

11/ A method of downloading operating software 
specific to one of a plurality of operators into a 



general-purpose digital television platform of a 
decoded, comprising the steps of: 

■ ' storing a boot loader including filter fields 
specific to the decoder definitively on manufacture in 
a projected and non-rewritable memory zone of the 
platf oj:m; 

periodically broadcasting a message identifying 
the platform and containing operating software making 
the pBatfotm suitable for decoding a data stream of a 
televfeionj signal of an operator and for processing 
servifes cjf said operator periodically in a digital 
televraion' signal that comes from each of the operators 
that B^de ^ an agreement with a manufacturer of the 
platf firm and that is designed to be accessible, each of 
said Jpssages having an electronic signature; 

on reception, filtering messages containing the 
operafjLng software and identifying the platform and the 
operalpr in response to a user selection command, using 
the aslter fields and writing said messages into a 



rewrippble program memory. 

12/ J^. method according to claim 11, wherein the 
operating software is transmitted in the form of data 
to bejgjrograinmed in said rewritable memory, in the form 
of d^ra blocks each copied at a respective address of 
the'vjitabie memory and supplied in the header of the 
block* 

13/ 2f methlod according to claim 12, wherein said data 
block*] are, each preceded by a header block comprising a 
descrKptioii of the respective application and a 
description of each of the data blocks. 



14/ ; iWmetKpd according to claim 13, wherein each said 
data J^ock|includes an error correction code. 



15/ A method according to claim 13 , wherein the header 
includes at least one of the following fields: 

• an identity of the platform manufacturer ; 
■ a hardware version of the platform) ; 

• a mode of acquisition of the decoder by a 
customer ; 

an identity of the current version of the 

software ; and 

• an individual serial number of the decoder . 

16/ A method according to claim 2, wherein SI or PSI 
information is associated with each said broadcast 
message containing operating software and said 

information includes at least one of a plurality of 
fields selected among: 

identity of a manufacturer of the platform; 

hardware version of the platform; 

decoder acquisition mode; 

identity of a current version of software 
loaded in the platform; and 

an individual serial number of the decoder. 

17/ A method according to claim 14, wherein each of the 
data blocks is associated with an encrypted signature 
included in the header, and in that the header itself 
includes an encrypted signature. 

18/ A system for downloading application software into 
digital television decoder platforms, comprising: 

• in each of said platforms, a general-purpose 
processor module that is independent of any television 
operator, that contains identification keys, and that 
is arranged: 



to extract a data stream representing 
(operating software specific to a program pack offered 
lb* an operator and coming from that one of a plurality 
[of operators that is selected at that time by the user, 
to authenticate the application software by 
implementing the identification keys and 

to record the software in a rewritable 
program memory for; storing said software, and to 
control the decoder to implement the services 
identified by the software; and 

in a broadcasting station, means for 
repetitively inserting in a broadcast digital data 
stream both a sequtence of blocks representing said 
application software and information describing 
indentification features of only those decoders that 
are to be loaded. 

19/ An installation .according to claim 18, wherein the 
processor module Comprises, in addition to the 
rewritable memory, a processor, a volatile memory (3 6) 
that is directly accessible by the processor, and a 
non-volatile memory zone which is protected, not 
rewritable, and which is protected agaist access from 
the outside. 

20/ An installation according to claim IS, wherein the 
protected non-volatile memory zone is part of a flash 
memory. 



REMARKS 

Claims 11 - 20 are in the case. The claims of the PCT 

application have been reviewed for better compliance 

with U.S. patent Office practice and for removing 



4 



Pax emis^par: 33(0)1 42 au ux »9 



multiple dependencies- They further take account of 
prior art cited during the preliminary international 
examination* 

An early and favorable action allowing claims, all 
claims in the case, is respectfully requested. 



Respectfully submitted, 



Date: March 3, 200 0 



m 



By: 




Douglas 
Reg. No, 




E . Jackson 
28518 



Larson & Taylor 

Transpotomac Plaza 
1 199 North Fairfax Street, Suite 900 
Alexandria, Virginia 22314-1437 
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IN THE UNITED STATES PATEKTT AND TRADEMARK OFFICE 



In re Application of: Jean- Jacques CHEVREUL and Michel PONS 
Serial No; 



For: A METHOD AND AN INSTALLATION FOR DOWNLOADING A USER DECODER 
PLATFORM 



I , Andrew Scott Marland, of 35, avenue Chevreul, 92270 BOIS 
COLOMBES, France, declare that I am well acquainted with the 
English and French languages and that the attached translation of 
the French language PCT international application. Serial 
No. PCT/FR98/01879 is a true and faithful translation of that 
document . 

All statements made herein are to my own knowledge true, and 
all statements made on information and belief are believed to be 
true; and further, these statements are made with the knowledge 
that willful false statements and the like so made are punishable 
by fine or imprisonment, or both, under Section 1001 of Title 18 
of the United States Code and that such willful false statements 
may jeopardize the validity of the application or any document or 
any registration resulting therefrom. 



Filed: 



DECLARATION 



Date: February 25, 2000 




Andrew Scott Marland 
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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re application of ) 
Jean- Jacques CHEVREUL et al. ) 

New U.S. Patent Appln. ) 
corr. to Int ! l Patent ) 
Appln. No. PCT/FR98/01879 ) 

Filed: September 2, 1998 ) 

For: A METHOD AND AN INSTALLATION FOR DOWNLOADING A 
USER DECODER PLATFORM 

PRELIMINARY AMENDMENT 

Assistant Commissioner for Patents 
Washington, D.C, 20231 



SIR: 

Prior to examination, please amend the application 
as follows: 

IN THE CLAIMS 

Please delete claims 1-10 and insert claims 11-20 as 
follows : 

11/ A method of downloading operating software 
specific to one of a plurality of operators into a 



1 



COPY 

general-purpose digital television platform of a 
decoder, comprising the steps of: 

• storing a boot loader including filter fields 
specific to the decoder definitively on manufacture in 
a protected and non-rewritable memory zone of the 
platform; 

• periodically broadcasting a message identifying 
the platform and containing operating software making 
the platform suitable for decoding a data stream of a 
television signal of an operator and for processing 
services of said operator periodically in a digital 

% television signal that comes from each of the operators 

| that made an agreement with a manufacturer of the 

I platform and that is designed to be accessible, each of 

£ said messages having an electronic signature; 

| • on reception, filtering messages containing the 

T operating software and identifying the platform and the 

* operator in response to a user selection command, using 

j the filter fields and writing said messages into a 

| rewritable program memory. 

t 12/ A method according to claim 11, wherein the 

% operating software is transmitted in the form of data 

to be programmed in said rewritable memory, in the form 
of data blocks each copied at a respective address of 
the writable memory and supplied in the header of the 
block . 

13/ A method according to claim 12, wherein said data 
blocks are each preceded by a header block comprising a 
description of the respective application and a 
description of each of the data blocks. 

14/ A method according to claim 13, wherein each said 
data block includes an error correction code. 



2 



COPY 

15/ A method according to claim 13 , wherein the header 
includes at least one of the following fields: 

- an identity of the platform manufacturer ; 

* a hardware version of the platform) ; 

a mode of acquisition of the decoder by a 
customer ; 

an identity of the current version of the 
software ; and 

• an individual serial number of the decoder . 



16/ A method according to claim 2, wherein SI or PSI 
information is associated with each said broadcast 
message containing operating software and said 

information includes at least one of a plurality of 
fields selected among: 

identity of a manufacturer of the platform; 

hardware version of the platform; 

decoder acquisition mode; 

identity of a current version of software 
loaded in the platform; and 

an individual serial number of the decoder. 

17/ A method according to claim 14, wherein each of the 
data blocks is associated with an encrypted signature 
included in the header, and in that the header itself 
includes an encrypted signature. 

8/ A system for downloading application software into 
digital television decoder platforms, comprising: 

* in each of said platforms, a general-purpose 
processor module that is independent of any television 
operator, that contains identification keys, and that 
is arranged: 



3 



copy 



to extract a data stream representing 
operating software specific to a program pack offered 
by an operator and coming from that one of a plurality 
of operators that is selected at that time by the user, 
to authenticate the application software by 
implementing the identification keys and 

to record the software in a rewritable 
program memory for storing said software, and to 
control the decoder to implement the services 
identified by the software; and 

in a broadcasting station, means for 
repetitively inserting in a broadcast digital data 
stream both a sequence of blocks representing said 
application software and information describing 
indentification features of only those decoders that 
are to be loaded. 



19/ An installation according to claim 18, wherein the 
% processor module comprises, in addition to the 

I rewritable memory, a processor, a volatile memory (36) 

| that is directly accessible by the processor, and a 

non-volatile memory zone which is protected, not 
rewritable, and which is protected agaist access from 
the outside. 

20/ An installation according to claim 19, therein the 
protected non-volatile memory zone is part of a flash 
memory. 



REMARKS 



Claims 11 - 20 are in the case. The claims of the PCT 
application have been reviewed for better compliance 
with U.S. patent Office practice and for removing 
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A METHOD AMD AN INSTALLATION FOR DOWNLOADING A USER 
DECODER PLATFORM 

The present invention relates to the field of 
decoders used by subscribers to digital television, in 
particular when access is conditional - 

Most digital television operators presently 
broadcasting in Europe offer decoders for hire. Such 
decoders enable all of the services of a given operator 
to|be received. Abroad, decoders are already being sold 
by j retail chains. However, each decoder is dedicated to 
a single operator or to a well -determined and unvarying 
group of operators. Consumers are not keen to buy such 
relatively expensive goods, particularly when they are 
not sure that they wiHL enjoy the program pack offered by 
the operator or when wiey know that a purchased decoder 
will not be usable for receiving a pack that becomes 
available in the future. 

The continuing increase in the number of television 
operators and in the additional services they provide, 
such as electronic program guides, pay-per-view, etc., 
make this situation less and less acceptable for the 
user." i 

The hardware platforms for decoders that receive 
satellite-broadcast television directly are standardized. 
ETSI 1 s DVB standard requires all manufacturers to use a 
common hardware structure for decoders. In addition, it 
optionally provides fo£ a common interface enabling 
modules for controlling access to different program packs 
to be connected in the/ form of PCMCIA cards suitable for 
insertion in a connector of a decoder. That solution is 
expensive. It require^ numerous functions to be 
duplicated. Although it enables television broadcasts 
coming from a plural ±4y of operators to be received by 
changing card, it generally does not give access to the 
associated services- 

An additional difficulty lies in that the platforms 
for receiving a singl^ pack can come from a variety of 
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suppliers using different hardware, and only having a 
common application engine as imposed by the operator such 
as OPEN TV, MEDIA HIGHWAY, DAVID (digital audio-video 
interacting decoding) , constituting a software layer at 
5 intermediate level. However, different operators 
generally require dif^rent application engines. 
Furthermore, a later version of the same platform can 
include additional features, giving access lo services 
which at present remain inaccessible to people who 
10 possess earlier versions. 

Documents US-A-5 440 632 and US-A-5 619 250, to 
q which reference can be made, describe television 

^ terminals having respective platforms designed to 

72. download program updates for controlling the 

?:] 15 microprocessors in all' terminals, in some terminals only, 
Cp or in a single terminal. However those documents do not 

H- envisage the possibility of making it possible to switch 

2 from one operator to another* 

O The present invention seeks in particular to provide 

i: 20 a method and apparatus making it possible for a decoder 
ti\ platform to be general -purpose, suitable for receiving 

u broadcasts coming from different operators, regardless of 

W whether they use the same access control mode and/or the 

same application engine. 
25 To this end, the invention provides in particular a 

method of downloading application software specific to an 

operator into a general -purpose digital television 

decoder platform, in which: 

• a secure boot loader is stored definitively in a 
30 protected and non- rewritable memory zone of the platform; 

• a message identifying the platform and containing 
the application program making the platform suitable for 
decoding the data stream of the television signal of an 
operator and for processing its services is broadcast 

3 5 periodically in the digital television signal that comes 
from the operator arjdJthat is designed to be accessible, 
each of said messages ^having an electronic signature; 
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- - on reception, the messages containing the program 

and identifying the platform and the operator are 
selected, decoded; and written into a rewritable program 
J- memory, optionally on user command. 

5 Thus, either initially or during a subsequent 

download, the user can select an operator chosen from a 
list of operators who have made agreements with the 
decoder manufacturer, even though they might use 
languages (API) that are very different from one another 
10 for describing their applications or services. 

Both in structure and in function, this method is 
completely different from merely downloading an update of 
supplementary software, reserved to subscribers of a 
J; single operator. It is also very different from merely 

?! i 15 transmitting messages for managing access authorizations, 
[fi \ known as EMM. It makes it possible to access any one of 

yi a plurality of different packs using the same platform, 

u f and to do so in simple manner. 

Two different situations can arise; both of them can 
In 2 0 be dealt with by implementing the invention. 
0 The first situation is where the operator seeks to 

allow a user who already has a decoder to abandon the 
fi pack of a competitor in favor of the operators own pack. 

Under these circumstances, the user cancels the 
25 subscription to the competitors pack and subscribes to 
the new pack by a procedure that can be conventional, 
' and requests downloading of the application software for 

the pack that is to be received- In the software as 
broadcast, the operator includes filter elements allowing 
30 only that particular owner of a platform to store the 
program. Thereafter, the user, e.g. by means of the 
remote control, calls the "boot loader program which 
presents a menu enabling the user, again by means of the 
remote control, to input the parameters of the 
35 transponder for the pack that is to be received. The 
downloading process is then launched and its duration 
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depends on the bandwidth allocated by the operator to 
this function in the broadcast. 

The downloaded application software is written in a 
program memory. It can be a flash memory which takes a 
5 long time to^write. For an operator who makes provision 
for this possibility only, it can suffice to transmit the 
application software giving access to the pack overnight 
only and in the form of successive packets transmitted at 
long intervals , which puts very little burden on the data 

10 rate available for television and other kinds of data. 

The othJr situation is where competing operators 
wish to allow a common subscriber to jump between packs. 
Under such circumstances, an application program can be 
downloaded frequently in order to replace a program in 

15 memory. In order to avoid a wait that is too long (due 

to the time required to write flash memory) , the programs 
are then stored and executed from program RAM that 
replaces or constitutes a front end for the flash memory. 
The presence of flash memory in addition to RAM makes it 

20 possible to conserve a version of the program in non- 
volatile form. In the absence of flash memory, 
downloading needs to be performed after each power 
interruption. 

In addition to downloads performed at the initiative 
25 of the subscriber, it is possible to make provision for 

imposing updating downloads or function- adding downloads 

to take account of operating changes. 

The method must satisfy two requirements* It must 

be selective, i.e. it must enable only certain platforms 
30 to be targeted; and it must be effective, making it 

possible within a given message to designate all of the 

platforms which are to receive the same version of the 

software . 

These two functions can be performed by an operation 
35 that can be referred to as "filtering", which consists in 
specifying the decoders concerned by a given data stream 
by means of indications written either in the header of a 
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software download stream or in the information tables 
associated with services (PS I and SI) . For this purpose, 
the header (or the P^Is or the Sis) can include a 
plurality of fields defining characteristics which are 
5 also recorde<| in the platforms. These characteristics 

can be unchaining, such as those of the hardware portion, 
and others can be changing, such as those of the software 
portion. 

The invention also proposes an installation for 
10 downloading application software into digital television 
decoder platforms, the installation comprising: 

- in each platform, a general -purpose processor 
module that is independent of any operator and that 
serves: to select and extract a data stream representing 
15 application software specific to the program pack offered 
by an operator, to record it in a rewritable program 
memory for storing said software, and to control the 
decoder to implement the services identified by the 
software; and 

20 - with the broadcaster, means for inserting in 

repetitive manner in the b-roAdeast digital data Biream 
both a sequence of blocks representing said specific 
software and information describing the characteristics 
of only those decoders that are to be loaded. 

25 The selection and extraction means can be 

constituted by a general -purpose processor module that is 
independent of the operator for performing all of the 
functions. 

In a variant embodiment, all or part of the program 
30 (or of software giving access to the program) can be 
transmitted over the telephone network, providing the 
platform includes means for being coupled thereto. 
Nevertheless, this complication is generally not 
necessary since the bandwidth required for transmitting 
35 an application in a reasonable length of time remains 

small- For example, if an operator is using a satellite 
channel with a bandwidth of 36 MHz together with four 
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transponders, only 1% of the available data rate, i.e. 
about 1.2 Mbits/s needs to be given over to downloading a 
piece of software of average length, 1 MByte, in about 
8 seconds . 

If program changing is expected to be exceptional, 
for the purpose of changing subscription, then 
transmission can be performed at an average data rate 
that is extremely low and th*L will have no perceptible 
influence on the available bandwidth. 

The above characteristics and others will appear 
better on reading the following description of a 
particular embodiment, given by way of non-limiting 
example. The description refers to the accompanying 
drawings, in which: 
15 . Figure 1 is a block diagram showing the hardware 

architecture of a platform comprising a decoder 
associated with a television set; 

• Figure 2 is a diagram showing downloading; 

• Figure 3 shows one possible header structure {or 
private descriptor in a PSI or an SI table) for filtering 
purposes; 

• Figure 4 shows a loading sequence; and 

- Figure 5 is a diagram showing one possible way of 

managing keys. 

The invention is described essentially in its 
application to a decoder for receiving digital television 
signals of the MPEG2 type, constituted by a multiplex 
made up of successive packets. The packets convey: 

• the audio and video components; and 

30 • digital data, including the software to be 

downloaded. 

The architecture of a decoder platform is generally 
as shown diagrammatically in Figure 1. It comprises; 

- a network interface 10 performing reception and 
35 demodulation functions, and of structure that depends on 

the network (cable network, satellite direct broadcast, 
terrestrial broadcast network) ; 
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• a time demultiplexer 12 which also performs 
unscrambling, for separating the components of the 
received signal; 

• audio and video decoders 14 and 16; and 

5 - a data processing and decoder management module 

18. 

The operation of the demultiplexer 12 depends on the 
module 18 • It serves to direct video packets to the 
video decoder 14, audio packets to the audio decoder 16/ 
10 and data to the module 18. It unscrambles the components 
tha£ have been scrambled on transmission to control 
access . 

- The audio and video decoders 14 and 16 perform MPEG2 
decompression and deliver the decompressed digital 

15 information to digital-to-analog converters 20 and 22 
which output audio and video signals usable by a 
television set* 

The module 18 manages all of the elements that are 
internal to the decoder and also user interface elements 

20 24 ^such as a keypad, a remote control infrared receiver 
23, and a display. It can also drive an input/output 
interface 25 connected to optional elements suitable for 
extending the facilities available, such as a telephone 

modem 26 or a high-speed interface 28 for connection to a 

i 

25 microcomputer - The processor is also generally connected 
tola connector 29 for receiving a microcircuit card or 
smj|rt card, ^.g. containing circuits for computing an 
unscrambl ing 1 key . 

The module 18 has a processor 30 connected by a bus 

30 32 to memories. In conventional manner, these memories 
comprise: 

• a read-only memory or ROM 34 which is not volatile 
and not reprogrammable without hardware intervention, 
which memory is directly accessible by the processor; 

35 -a volatile working memory or RAM 36, directly 

addressable by the processor and intended for 
manipulating data* 
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To enable the invention to be implemented, the 
memories aljj£> include additional memory spaces serving in 
particular to store: 

- a loader program for initialization and starting 
5 purposes, referred to as a "boot loader", situated in a 

memory zone that is not volatile, protected, and not 
rewritable (the non- rewritable nature of this zone can be 
obtained, for example, by masking during manufacture); 
and 

10 • the complete operating software for a digital 

program pack specific to a private operator, with this 
being in a zone that is rewritable. 

In the example shown in Figure 1, the memories 
comprise, for this purpose: 
[5 . a reprogrammable non-volatile memory 38 that is 

directly accessible by the processor, serving to receive 
the application software, e.g. a flash memory; this 
memory can be designed to store the programs specific to 
a plurality of packs if the platform is designed to make 
it possible ^o jump between packs without having to wait 
for re-loading; in general, it contains the operating 
software; 

- a non-volatile memory 40 designed to receive 

I configuration data for the decoder; this memory which is 
5 not necessarily addressable by the processor can be an 
electrically reprogrammable read-only memory or EE PROM . 

The ROM 34 can ^% a non-modifiable portion of the 
memory 38, if the merhicy 38 is a flash memory. 

The software arcmtecture of the decoder can be 
|o considered as having tliree functional levels or layers, 
the driver layer, the System layer, and the interactive 
application layer. 

The driver layer is specific and matches the 
hardware architecture. It is this layer which makes it 
tS possible to perform "|he hardware functions provided by 

the decoder. j 

V 



I 
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The system layer manages the platform and provides 
the general services, including the application engine, 
that are required to enable it to operate, and also the 
services that are called by the interactive applications, 
To perform this function, the system layer generally has 
an interpreter, serving to transform source code into 
object code. However a compiler is not necessary since 
it suffices if transformation is performed on each new 
use of the system layer. 
10 | Finally, the interactive application layer provides 

local interactivity and makes use of the application 
engine; it can also be designed to constitute the 
interface with the modem 26 for connection to a telephone 
line. This layer has user interface applications which 
15 I call on services provided by the system layer. 

The applications and the associated resources are 
partially resident, i.e. stored in permanent manner in 
the ROM of the decoder, and they are partially downloaded 
by the system layer from the MPEG2 standard television 
2 0 i signal, 

The user interface applications are generally 
written in a script language. The system layer 
interprets the script language information and manages 
activation and downloading o£ interactive applications. 
25 I This system layer is loaded into the platform in the form 
of a code that can be interpreted directly by the 
processor 3 0 * 

Switching fromfcne pack to another corresponds 
mainly to reconfiguring the memories. 

30 

Downloading opera ticfts 

An application program is downloaded as follows. 
Changing pack implies loading all of the software 
enabling the pack tct be processed, and this is 
35 1 independent of any special features concerning access 
control mode . 
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For this purpose/ it is necessary to load or change 
software residing in the decoder, which is done by 
reinitialising all of the program memory 38/ which is 
generally a flash memory. 

The data which is transmitted to the platform during 
downloading to reinitialize the flash memory 38 is the 
same for all platforms having the same hardware 
structure. 

The diagram of Figure 2 corresponds to downloading 
making use of the data portion of the broadcast stream. 
The software to be loaded is in the form of a file. 
Within the platform, it is extracted and sent to RAM 36 
where it is reassembled prior to being written in the 
program memory 38 which will thus end up with the driver 

flayer, the system layer,, and the application layer, 

Jincluding the application engine. 

1 Under other circumstances, downloading can take 

place via the input/output interface 25, using a modem or 
a microcomputer. 

Under all circumstances, downloading implies, at the 
broadcaster, generating image files for writing in the 
program memory 3 8 of the platform. These files can be of 
a very wide variety of kinds: 

• already-compiled object files; 

• applications written in script language; 

• other functions such as a library function. 
The "image" files as constituted in this way are 

then formatted to adapt them to the method of 
transmission that is to be used, i.e. either over the 
television program broadcast network or else over the 
wire network. 

In both cases, the first operation performed in the 
platform, on receiving files, is selectivity filtering so 
that only those applications programs which come from a 
specific program supplier are loaded. As explained 
below, this operation can be accompanied by checking an 
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electronic signature in the header of the data stream 
constituting the application software to be loaded. 



10 
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Selectivity filtering makes it possible to ensure 
that the application program is loaded into identified 
platforms only, and to ensure that it is loaded into all 
Jsuch platforms. At any given moment, there exists 
■jnumerous types of platforms that are in operation, and as 
1 3 a general rule they contain different software. Even if 
they are of different types, platforms that are initially 
intended for a given operator or program supplier will 
lall have the same application engine. However the 
• ^application engine changes on switching from a platform 
jprogrammed to receive the pack from a particular supplier 
br operator to a platform programmed for another 
^operator: it therefore needs to be replaced in the 
application memory* 

Depending on the origin of the decoder and the 
hardware architecture of the decoder, the elements which 
can change include the following: 

the manufacturer of the decoder, where 
manufacturers often make use of proprietary architecture; 

decoder acquisition mode (rental, purchase, 
purchase with a subsidy dedicating the decoder to a 
'particular operator for a determined duration) which can 
rlgive rise to different access control functions and thus 
Ito different system layers ; 

J . date of acquisition , since the software might have 

■been modified over time. 

All of these elements are included in an identifier 
jof the decoder, which identifier can include the 
following fields, in particular: 
C x : manufacturer identifier; 
C 2 : version of the hardware software ; 
C 3 : acquisition mode (rental, subsidized sale, non- 
subsidized sale, etc.); 
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C 4 : software identifier, specifying the version of 
the software currently loaded in the decoder; 

C s : individual serial number of the decoder - 

Unlike the others, the field C 4 will be changed on 
each download. 

To make filtering possible, an identifier is 
provided in each decoder, and each data stream 
representing application software includes parameters 
enabling reloading or updating operations to be performed 
only in appropriate decoders. 

The header will include respective fields allocated 
to each of these parameters. 

By way of example, Figure 3 shows One possible 
structure for the header of a data stream; this header is 
constituted by a block of N bytes, preceded by a block 
specifying the number N. 

Each field of the decoder corresponds either to a 
single selection filter specified by the corresponding 
field of the header, or else to a plurality. Loading can 
take place in a decoder only when all of the filtering 
operations give rise to a positive result. 

The first field C x can be limited to a single filter 
F-L recorded in ROM, specifying the manufacturer concerned 
by means of an identity number ID. 

The second field C 2 can comprise a plurality of 
filters, corresponding to different versions of the 
platform, and a filtering operator constituted by an OR 
function: for the filtering result to be positive, it 
suffices that one of the filters F 2i recorded in ROM 
should match C 2 . 

The field C 3 can be constituted by a single filter 
F 3 , with the filtering operator then being an 
intersection. The result of filtering is positive if 
C 3 aF 3 is non-zero. 

The field C 4 has a single filter F 4 , and the 
filtering operator is then the comparison operation C 4 <F 4 : 
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loadi^ needs to take place in all decoders that have not 
yet be$n upd^ed. 

The field C 5 is generally longer than the others, and 
comprises 32 bits, for example; e.g. it will contain a 
plurality of filters F 5j each giving a bottom limit and a 
top lliit, identifying a series of decoders for which 
updating shopld be performed. The result of filtering is 
positiye if the value contained in the field C s of the 
identifier lies between the two values given by at least 
one of** the filters F sj . 

The field C 6 specifies the operator (or the 
operators) with whom a subscription has been taken out. 
It ha^one or more filters F 6 recorded in rewritable 
memory. 




Aflflrqssinq 

rie data to be written in the application memory 38 
ismitted to the decoder with an indication of the 
Us at which it is to be copied into the memory 38. 

can happen, particularly when a formatting RAM 36 
ited upstream from the program memory 38, that the 
>r a complete program cannot be acquired in a 
single operation or using a single address. 

* Under such circumstances, the data representative of 
the Is Jft ware to be downloaded is transmitted to the 
decldi in the form of successive blocks of contiguous 
datA, J&nd the data of any one block is copied into the 
samf Jkdress in the program memory 38. The loading of 
software into the program memory 3 8 can then be sequenced 
in the manner shown diagrammatically in Figure 4. Each 
of the successive data blocks has a starting address A 2 , 
. . . , A n specifying an address in the program memory 38, 
followed by a data portion D x , D n , and an error 

correJping code. These blocks are preceded by 
transmission of a header block 44 having an application 
descriptor DA and descriptors DD X , DD n for the 

successive blocks. The starting addresses make it 



J 
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possible for writing to take place immediately in the 
program memory 3 8 . 

Tli header block identifies the application to be 
loaded fand lists the blocks that make it up. The data 
blocks making up the application are managed on the basis 
of image blocks which have transport security information 
added tjhereto constituted by a code for detecting (and 
optionally correcting) any errors. This can be 
constituted in particular by a cyclic redundancy check, 
10! generally referred to by the abbreviation CRC. 

In; practijce, when a subscription is being loaded, 
downloading takes place as follows. After switching on, 
the usejr starts the downloader program by pressing one or 
more kftys of the remote control. This program presents a 
is8f menu enabling the user to input parameters of the home 
transponder, and of the new program pack (at least 
frequency, polarization, error correction code rates, and 
symbol jrate) by means of the remote control. To make 
this task easier, this information can be input in 
compacj form, 'e.g. in the form of a few decimal digitB 
given ?y the operator when the subscription is taken out. 
Pressd rig on the confirm key then launches downloading. 
This c iwnloading operation relies on the monitoring and 
selection functions that use the fields C^-Cg, The 
following take plauu* 

■ the operator, the version number, and the 
manufacturer are checked; 

• the version number, the manufacturer, the serial 
number are selected, with selection being possible 
without requiring an authentication process. 

As mentioned above, downloading is made secure so as 
to prevent : 

- 3 downloading of data that is not transmitted by an 
authorized operator; 

■ downloading of data into a platform that is not 
authorized to receive it. 



2 Oil 



25! 



3d 



T 



Fax emis par (0)1 42 



r 



59 CABINET PIASSERAUD le 03/03/00 16:29 A4 NORM Pg: 18/31 



15 



10 



15 



20 



25 



30 



Sepurity can be based on encryption using private 
and/or public keys- It is known that public key 
encryption uses an algorithm that is difficult to 
reverse* such that knowledge of the public key and of the 
encoded Message does not suffice to return to the 
original message without performing calculations that 
will tal|e an unrealistic length of time. 

figure 4, dashed lines show additions to be 
to the header 44 so as to make the message 



35 




data block is associated with a signature S x , 
phich is included in the header. The signature, 
Lated from the data of the corresponding block , 
verify that the block is authentic. 
In: addition, the header has a signature which is 
transmii ted in encrypted form S« The encryption 
algorit] m for the signature of the header block is a 
private- key algorithm, e.g. of the RSA type. The private 
key is 1 nown only to the manufacturer. The non-encrypted 
signatu: h e is calculated on the basis of the encrypted 
signatu; e S in the decoder by means of a public key 
algorit»i stored in the ROM 34 or in a protected zone of 
the program memory 38 , if it is a flash memory. 

The signature S serves to verify the authenticity of 
the healer block, and thus of the data that it carries, 
and in particular of the signatures S 1/ S n . 

Th# way in which keys and functions are shared when 
a plurality of operators 1 , . . . , i are grouped together 
to use Jpmmon private keys, can be as shown in Figure 5. 
On the basis of common private keys, the operators give 
the manufacturer of the decoder software public keys 
which at written into the ROM 34 at the same time as the 
filters' F x , F 2i , F 5j . 

The instructions for booting the decoder when it is 
put inti operation are also stored in ROM, together with 
the updating loader of the terminal. To mitigate cases 
of corruption in the program memory 38, particularly if 
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it is aJlf lash memory, due to an interruption occurring 
during Spading/ the updating function of the terminal is 
direct ^■associated with the boot function of the decoder 
process*:" in the event of corruption being observed- 
invention makes it possible to allow 
relatiqilships between operators and users to change in 
simple Tfenner. Because the operator identifier is stored 
in flaslf memory, unlike the other parameters which are 
stored i|i ROM, it is possible to reallocate a hired 
10 decoder yhen it is returned- A decoder can be "freed" of 
any conr action with any particular operator. Selection 
is perfc rmed by logic operations that are simple and that 
can be : mplicit by default. 

Tn r.hft particular circumstance of broadcasting using 
15 the MPE< 2 standard, the data for updating and loading 
applicat ion software is conveyed in a private data DVD 
nx service of the type specified in the standard as 

nj "terming 1 update". The blocks constituting the software 

1 to be 1< aded are split up into elements having a maximum 

nl 20 size of 4064 bytes, each element having a 16-byte header. 
H A servi< e for updating or reloading software is 

identif ed on the basis of network signalling data. 
X-% Thj ; method of the invention for downloading 

applicaj ion software does not interfere in any way with 
2 5 _downloa< ing software updates from the current operator, 
fi,e. thi operator with whom the user has taken out a 
• subscritition . 
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CLAIMS 

1/ A method of downloading application software specific 
to an operator into a general -purpose digital television 
decoder platform, in which: 
5 • • a secure boot loader is stored definitively in a 

protected and non- rewritable memory zone of the plat form ; 

- a message identifying the platform and containing 
the application program making the platform suitable for 

it 

- decoding the data stream of the television signal of an 
10 operator and for processing its services is broadcast 

periodically in the digital television signal that comes 

- from the operator and that is designed to be accessible, 
each of said messages having an electronic signature; 

• on reception, the messages containing the program 
15 and identifying the platform and the operator are 

selected, decoded, and written into a rewritable program 
memory (38) , optionally on user command, 

2/ A method according to claim 1, characterized in that 
the application software is transmitted in the form of 
data to be programmed^ in said writable memory, in the 
form of data blocks each copied at a respective address 
(A x , An) of the writable memory and supplied in the 

header of the block. 

3/ A method according to claim 2, characterized in that 
the data blocks are preceded by a header block comprising 
a description of the application and of each of the data 
blocks - 

4/ A method according to claim 3, characterized in that 
each data block includes an error correction code, such 
as a cyclic redundancy code. 

b/ A method according to claim 3 or 4, charauLex'iuea in 
that the header includes at least one of the following 

fields: i 

] 
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• the identity of the platform manufacturer (Cj.) ; 

• the hardware version of the platform (C 2 ) ; 

- the mode whereby the decoder was acquired (C 3 ) ; 

• the identity of the current version of the 
software (C 4 ) ; and 

• the individual serial number of the decoder (C s ) . 

6/ A method according to claim 2, characterized in that 
the SI or PSI information associated with the broadcast 
messages and containing application programs include at 
least one of the following fields t 

- the identity of the platform manufacturer; 

• the hardware version of the platform; 

• the decoder acquisition mode; 

• the identity of the current version of the 
software ; and 

• the individual serial number of the decoder. 

7/ A method according to claim 4, 5, or 6, characterized 
in that each of the data blocks is associated with an 
encrypted signature included in the header, and in that 
the header itself includes an encrypted signature, 

8/ An installation for downloading application software 
into digital television decoder platforms, the 
installation comprising: 

• in each platform, a general -purpose processor 
module that is independent of any operator and that 
serves : to select and extract a data stream representing 
application software specific to the program pack offered 
by an operator/ to record it in a rewritable program 
memory (38) for storing S*id software, and to control the 
decoder to implement the services identified by the 
software; and 

• with the broadcaster, means for inserting in 
repetitive manner in the broadcast digital data stream 
both a sequence of blocks representing said specific 
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software and inf ormation describing the characteristics 
of only those decoders that are to be loaded* 

3/ An installation according to claim 8, characterized in 
that the processor module comprises, in addition to the 
rewritable memory (38) , a processor (30) / a volatile 
working memory (36) that is directly accessible by the 
processor, and a non-volatile memory 2one (34) which is 
protected, not rewritable, and which has secure access. 

10/ An installation according to claim 9, characterized 
in that the protected non- volatile memory zone (34) forms 
part of a flash memory (38) „ 





i 
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ABSTRACT 



A METHOD AND AN INSTALLATION FOR DOWNLOADING A USER 
DECODER PLATFORM 



10 



15 



To download the application software specific to an 
operator into a general -purpose digital television 
decoder platform; a secure boot loader is stored 
definitively in a protected and non-rewritable memory 
zone of the platform. A message is broadcast 
periodically in the diyiLal television signal coming from 
an operator that is designed to be accessible, the 
message containing the application program for making the 
platform suitable for decoding the data stream of the 
television signal from the operator and for processing 
the services. The message includes an electronic signal. 
On reception, the messages containing the program are 
selected, decoded, and written into the rewritable 
program memory, optionally on user command* 
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